martes, 21 de junio de 2011

It's that time again! The Metasploit team is proud to announce the immediate release of the latest versionof the Metasploit Framework, 3.7.2. Today's release includes eleven new exploit modules and fifteen post modules for your pwning pleasure. Adding to Metasploit's well-known hashdump capabilities, now you can easily steal password hashes from Linux, OSX, and Solaris. As an added bonus, if any of the passwords were hashed with crypt_blowfish (which is the default on some Linux distributions) any time since 1998, they may be considerably easier to crack. For more cracking fun, Maurizio Agazzini and Mubix's hard work has paid off in a new cachedump module. As the name implies, cachedump allows you to steal Windows cached password hashes. They can't be used directly like those obtained with hashdump, but JtR can crack them. If cracking sounds hard regardless of 13 year old bugs and proprietary hash algorithms, you might be interested in the latest post modules from TheLightCosine: they steal passwords from several applications which conveniently store them for lazy users in what is equivalent to plaintext.

Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

Description: Adobe has released patches for multiple security vulnerabilities affecting multiple products. Adobe has reported that the unspecified memory corruption vulnerability in Adobe Flash is being actively exploited in the wild. That issue was initially reported as an 0-day vulnerability. The Shockwave Player vulnerabilities involve various errors in the handling of malformed Adobe director files. The Reader vulnerabilities involve the vulnerable code blindly trusting malicious attacker-provided lengths in malicious files. By enticing a target to open a malicious file, an attacker can exploit these vulnerabilities in order to execute arbitrary code on the target's machine. Code will execute with the permissions of the user running the browser or Reader application.

Description: As part of its patch Tuesday program, Microsoft has released patches addressing vulnerabilities in multiple products.

Included in this month's patches are fixes for code-execution vulnerabilities affecting Internet Explorer. Four vulnerabilities involve memory corruption issues while handling malicious DOM manipulation of a web page; one involves a redirect to a CDL protocol, which causes a crash in Internet Explorer; and another involves a use-after-free vulnerability caused by unsafe handling of unusual values for the layout-grid-char styel property. By enticing a target to view a malicious page, an attacker can exploit these vulnerabilities in order to execute arbitrary code with the permissions of the user running the browser. Microsoft also released patches for its internal SMB client and server, Microsoft Silverlight, and Office Excel; these issues could also be used by an attacker to execute arbitrary code on a target's machine.

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 11428 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.

Description: Microsoft Lync Server 2010 is a unified communication server. The application is exposed to a command injection issue because it fails to adequately sanitize user-supplied input submitted to the "reachLocale" parameter of the "ReachJoin.aspx" script.

Microsoft Lync Server 2010 version 4.0.7577.0 is vulnerable and other versions may also be affected.

Description: Trend Micro Data Loss Prevention is a data management and loss prevention application. The application is exposed to a directory traversal issue because it fails to sufficiently sanitize user-supplied input. Trend Micro Data Loss Prevention 5.5 is vulnerable and other versions may also be affected.

Description: GNOME NetworkManager is an application used for automated networking on Linux platforms. The application is exposed to an information disclosure issue that may allow local attackers to access user passwords from the "/var/log/messages" file. GNOME NetworkManager

The application is exposed to multiple issues because the software fails to properly sanitize user-supplied input. See the reference below for further details. OProfile version 0.9.6 is vulnerable and other versions may also be affected.

Description: HP Operations for UNIX is a set of infrastructure monitoring tools. HP Operations for UNIX is exposed to multiple issues. 1) An unspecified cross-site scripting issue affects the application because if fails to adequately sanitize user-supplied input. 2) An unauthorized access issue affects the application because of an unspecified error. HP Operations for UNIX 9.10 is affected.

Description: D-Bus is an IPC (Inter-Process Communication) system for applications to talk to one another. The application is exposed to a local denial of service issue because of an error while processing messages with a non-native byte order. D-BUS 1.4.10 is vulnerable; other versions may also be affected.

Description: Fabric is a deployment tool implemented in python. Fabric is exposed to an issue because it creates temporary files in an insecure manner. Specifically, the application creates temporary files with predictable file names in world writable directories when uploading template text files and project files to a remote server.

Description: Wireshark (formerly Ethereal) is an application for analyzing network traffic. The software is exposed to multiple issues.

1) A denial of service issue occurs when sorting columns during packet capturing. 2) A denial of service issue occurs because packet capture from a named pipe fails to properly stop until the next packet is captured. Wireshark versions prior to 1.6.0 are affected.

Description: Ruby on Rails is a web application framework for multiple platforms. Ruby on Rails is exposed to multiple security bypass weaknesses because it fails to properly mark certain strings as "HTML safe". Versions prior to Ruby on Rails 3.0.8 and 2.3.12 are affected.

Description: HP Service Manager is an IT helpdesk application available for multiple platforms. HP Service Center is a web-based IT service management application. The applications are exposed to multiple issues due to insufficient sanitization of user-supplied input. See the reference below for further details. These versions are affected: HP Service Manager v9.21, v9.20, v7.11, v7.02, HP Service Manager client v9.21, v9.20, v7.11, v7.02 running on Windows, HP Service Center v6.2.8 Client running on Windows, HP Service Center v6.2.8.

Description: VLC is a cross-platform media player. The application is exposed to a memory corruption issue because of an integer overflow error in the XSPF playlist file parser. This occurs within the "libplaylist_plugin.dll" file when parsing specially crafted XSPF playlist files. In particular, attackers can exploit this issue by passing a large value to the "id" tag of the XSPF file. VLC Media Player versions 1.1.9 down to 0.8.5 are vulnerable.

Description: The libmodplug library allows various media players to play multiple media formats. The library is exposed to a stack-based buffer overflow issue because it fails to properly bounds check user supplied data before copying it into an insufficiently sized buffer.

Libmodplug 0.8.8.1 is vulnerable and other versions may also be affected.

Description: LuaExpat is a SAX XML parser that is based on the Expat library. Jabberd is exposed to a denial of service issue.

Specifically, the issue occurs because the application fails to handle specially crafted XML data. Applications using the affected parser may consume excessive amounts of system memory when processing large numbers of nested references. Versions prior to jabberd 2.2.14 are vulnerable.

Description: PHP is a scripting language. PHP is exposed to a security bypass issue because the application allows an attacker to delete files from the root directory. Specifically, the issue exists in the "SAPI_POST_HANDLER_FUNC()" function of the "rfc1867.c" file. PHP 5.3.6 is vulnerable and other versions may also be affected.

Description: Opera is a web browser application. The application is exposed to a denial of service issue. This issue occurs when the application processes a webpage containing specially crafted JavaScript code. Opera Web Browser 11.11 is vulnerable; other versions may also be affected.

Description: Adobe ColdFusion is an application for developing websites. The application is exposed to the following issues. 1) An unspecified cross-site request forgery issue because it fails to properly validate HTTP requests. 2) A remote denial of service issue.

Description: Adobe Flash Player is a multimedia application for multiple platforms. The application is exposed to a remote memory corruption issue that can result in arbitrary code execution. Adobe Flash Player 10.3.181.23 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems, Adobe Flash Player 10.3.185.23 and earlier versions for Android are affected.

Description: WebFileExplorer is an ASP-based file manager. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to the "User" and "Pass" fields in the admin login page before using the data in an SQL query. WebFileExplorer 3.6 is vulnerable; other versions may also be affected.

Title: HTML Purifier Cross-Site Scripting and Denial of Service Vulnerabilities

Description: HTML Purifier is an HTML filtering application implemented in PHP. The application is exposed to the following issues. 1) Multiple cross-site scripting issues because the application fails to sufficiently sanitize user-supplied input passed to "CDATA" and "cssText/innerHTML" parameters. 2) A denial of service issue exists while handling DOM objects. Specifically, the issue affects the "tokenizeDOM()" function in the "HTMLPurifier/Lexer/DOMLex.php" script.